Red team engagements are often high-octane, fast-paced, and dynamic in nature. Operators may juggle several engagements at once due to high demand. This has led to the need to automate red team infrastructure.
This session addresses how red team operators can automate the creation of ready-to-go payloads without giving up custom capabilities, as they would by relying solely on existing open-source dropper frameworks. First, we will look at using Office interop objects in C# to automate the creation of macro-embedded Word documents. Next, we will cover incorporating our own loader mechanism to load shellcode blobs into memory, focusing on thread hijacking and using Donut-generated shellcode along the way. We will dissect execution with WinDbg and explain some of the nuances of different loader mechanisms and the suspicious telemetry they can generate. Third, we will look at how operators can persist these shellcode blobs within the document itself and kick off execution via VBA. Lastly, we will touch on the modularity of such automation frameworks and how operators can keep incorporating additional capabilities, expanding the overall tradecraft and Tactics, Techniques, and Procedures (TTPs) available to red team operators.